[ https://issues.apache.org/jira/browse/DERBY-5748?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13269605#comment-13269605 ]
Rick Hillegas commented on DERBY-5748:
--------------------------------------
Password vetters often prevent you from re-using any previous password, not
just the current one. This would involve maintaining an audit history. I agree
that password strength checking would be useful too. For the moment,
applications will have to perform these services themselves.
> Native user authentication: SYSCS_UTIL.SYSCS_MODIFY_PASSWORD accepts old
> password
> ---------------------------------------------------------------------------------
>
> Key: DERBY-5748
> URL: https://issues.apache.org/jira/browse/DERBY-5748
> Project: Derby
> Issue Type: Improvement
> Components: Services
> Affects Versions: 10.9.0.0
> Reporter: Dag H. Wanvik
>
> Modifying the password to the same as the old one will reset the timeout
> specified in derby.authentication.native.passwordLifetimeMillis.
> This means that a lazy user can subvert the security policy embodied in the
> timeout. It would be an improvement to require a different one.
> Of course, we don't currently have any password strength checking either, so
> it may not be worth just implementing this change without making some
> configurable strength checking also.
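Since the comment above leaves reuse prevention, history keeping and strength checking to the application, the following is an added example of what such an application-side gate can look like. It is not Derby code and is not part of the original issue or comment. It assumes the application keeps its own per-user history of salted PBKDF2 hashes (Derby's SYS.SYSUSERS is not consulted), a hypothetical policy of "no reuse of the last 5 passwords", an illustrative strength policy, and an `execute(sql, params)` callback supplied by the caller that runs the statement on a Derby connection; here that callback is a stub that only records the CALL so the example runs offline. The passwords in `demo()` are constructed test data.

```python
"""Application-side password-change gate for Derby NATIVE authentication.

Added example, not Derby code. Enforces what the issue says Derby does not:
  - reject a new password equal to the current one (which would otherwise
    just reset the derby.authentication.native.passwordLifetimeMillis timer),
  - reject reuse of any of the last HISTORY_DEPTH passwords (assumed policy,
    needs an application-kept history),
  - apply a configurable strength policy,
and only then issue CALL SYSCS_UTIL.SYSCS_MODIFY_PASSWORD(?) for the new value.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 60_000   # history hashes are verify-only, so cost can be high
HISTORY_DEPTH = 5            # assumed policy: no reuse of the last 5 passwords


@dataclass
class StrengthPolicy:
    """Illustrative strength rules; real policies may differ."""
    min_length: int = 12
    require_classes: int = 3   # out of: lowercase, uppercase, digit, symbol

    def check(self, pw: str) -> list:
        problems = []
        if len(pw) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = sum(bool(re.search(p, pw))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if classes < self.require_classes:
            problems.append(f"uses {classes} character classes, need {self.require_classes}")
        return problems


def _hash(pw: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked history does not expose old passwords
    # (which users tend to reuse elsewhere).
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class PasswordHistory:
    """Per-user list of (salt, hash), newest last. Kept by the application, not Derby."""
    entries: dict = field(default_factory=dict)

    def current_matches(self, user: str, pw: str) -> bool:
        hist = self.entries.get(user, [])
        if not hist:
            return False
        salt, h = hist[-1]
        return hmac.compare_digest(_hash(pw, salt), h)

    def seen(self, user: str, pw: str) -> bool:
        recent = self.entries.get(user, [])[-HISTORY_DEPTH:]
        return any(hmac.compare_digest(_hash(pw, salt), h) for salt, h in recent)

    def record(self, user: str, pw: str) -> None:
        salt = os.urandom(16)
        self.entries.setdefault(user, []).append((salt, _hash(pw, salt)))


def change_password(user, new_pw, history, policy, execute) -> list:
    """Validate new_pw; on success run the CALL through execute(sql, params).

    Returns the list of rejection reasons (empty means the password was changed).
    """
    reasons = policy.check(new_pw)
    if history.current_matches(user, new_pw):
        reasons.append("same as current password (would only reset passwordLifetimeMillis)")
    elif history.seen(user, new_pw):
        reasons.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    if reasons:
        return reasons
    # SYSCS_MODIFY_PASSWORD changes the password of the connection's own user,
    # so the user name is not a parameter of the CALL.
    execute("CALL SYSCS_UTIL.SYSCS_MODIFY_PASSWORD(?)", (new_pw,))
    history.record(user, new_pw)
    return []


def demo():
    """Run the gate against constructed inputs; returns (results, issued CALLs)."""
    issued = []
    execute = lambda sql, params: issued.append((sql, params))  # stub, no Derby needed
    history = PasswordHistory()
    history.record("alice", "Tr0ub4dor&Sure")   # constructed: alice's current password
    policy = StrengthPolicy()
    results = {
        "reuse_current": change_password("alice", "Tr0ub4dor&Sure", history, policy, execute),
        "weak": change_password("alice", "password1", history, policy, execute),
        "ok": change_password("alice", "c0rrect-Horse-Battery", history, policy, execute),
        "reuse_old": change_password("alice", "Tr0ub4dor&Sure", history, policy, execute),
    }
    return results, issued


if __name__ == "__main__":
    for name, reasons in demo()[0].items():
        print(f"{name}: {'changed' if not reasons else '; '.join(reasons)}")
```

Only the `ok` case reaches Derby; the same-as-current case is rejected before any CALL is issued, so the lifetime timer is not reset. The history store itself must be protected: it is a second credential store beside SYS.SYSUSERS and should be hashed, access-controlled and pruned to the configured depth.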